Cloud Security Alliance Zero Trust CCZT Questions & Answers
Question 1:
How can we use ZT to ensure that only legitimate users can access a SaaS or PaaS? Select the best answer.
A. Implementing micro-segmentation and mutual Transport Layer Security (mTLS)
B. Configuring the security assertion markup language (SAML) service provider only to accept requests from the designated ZT gateway
C. Integrating behavior analysis and geofencing as part of ZT controls
D. Enforcing multi-factor authentication (MFA) and single-sign on (SSO)
Correct Answer: B
Explanation: Configuring the SAML service provider to accept requests only from the designated ZT gateway ensures that every access request is routed through the gateway, where it is authenticated and authorized appropriately.
References:
Zero Trust Architecture related sources including NIST
Question 2:
What is one benefit of the protect surface in a ZTA for an organization implementing controls?
A. Controls can be implemented at all ingress and egress points of the network and minimize risk.
B. Controls can be implemented at the perimeter of the network and minimize risk.
C. Controls can be moved away from the asset and minimize risk.
D. Controls can be moved closer to the asset and minimize risk.
Correct Answer: D
The protect surface in a ZTA is the collection of sensitive data, assets, applications, and services (DAAS) that require protection from threats. One benefit of the protect surface in a ZTA for an organization implementing controls is that it allows the controls to be moved closer to the asset and minimize risk. This means that instead of relying on a single perimeter or boundary to protect the entire network, ZTA enables granular and dynamic controls that are applied at or near the DAAS components, based on the principle of least privilege. This reduces the attack surface and the potential impact of a breach, as well as improves the visibility and agility of the security posture.
References:
Zero Trust Architecture | NIST
Zero Trust Architecture Explained: A Step-by-Step Approach - Comparitech
What is Zero Trust Architecture (ZTA)? - CrowdStrike
Question 3:
In a ZTA, the logical combination of both the policy engine (PE) and policy administrator (PA) is called
A. policy decision point (PDP)
B. role-based access
C. policy enforcement point (PEP)
D. data access policy
Correct Answer: A
In a ZTA, the logical combination of both the policy engine (PE) and policy administrator (PA) is called the policy decision point (PDP). The PE is the component that evaluates the policies and the contextual data collected from various
sources and generates an access decision. The PA is the component that establishes or terminates the communication between a subject and a resource based on the access decision. The PDP communicates with the policy enforcement
point (PEP), which enforces the access decision on the resource.
References:
Certificate of Competence in Zero Trust (CCZT) prepkit, page 14, section 2.2.2
Zero Trust Architecture Project - NIST Computer Security Resource Center, slide 9
What Is a Zero Trust Security Framework? | Votiro, section "The Policy Engine"
Question 4:
The following list describes the SDP onboarding process/procedure. What is the third step?
1. SDP controllers are brought online first.
2. Accepting hosts are enlisted as SDP gateways that connect to and authenticate with the SDP controller.
3.
A. Initiating hosts are then onboarded and authenticated by the SDP gateway
B. Clients on the initiating hosts are then onboarded and authenticated by the SDP controller
C. SDP gateway is brought online
D. Finally, SDP controllers are then brought online
Correct Answer: A
The third step in the SDP onboarding process is to onboard and authenticate the initiating hosts, which are the clients that request access to the protected resources. The initiating hosts connect to and authenticate with the SDP gateway,
which acts as an accepting host and a proxy for the protected resources. The SDP gateway verifies the identity and posture of the initiating hosts and grants them access to the resources based on the policies defined by the SDP controller.
References:
Certificate of Competence in Zero Trust (CCZT) prepkit, page 21, section 3.1.2
6 SDP Deployment Models to Achieve Zero Trust | CSA, section "Deployment Models Explained"
Software-Defined Perimeter (SDP) and Zero Trust | CSA, page 7, section 3.1
Question 5:
Which ZT element provides information that providers can use to keep policies dynamically updated?
A. Communication
B. Data sources
C. Identities
D. Resources
Correct Answer: B
Data sources are the ZT element that provides information that providers can use to keep policies dynamically updated. Data sources are the inputs that feed the policy engine and the policy administrator with the relevant data and context about the entities, resources, transactions, and environment in the ZTA. Data sources help to inform the policy decisions and actions based on the current state and conditions of the ZTA. Data sources can include identity providers, device management systems, threat intelligence feeds, network monitoring tools, etc.
References:
Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 3: ZTA Architecture and Components
Question 6:
What should an organization's data and asset classification be based on?
A. Location of data
B. History of data
C. Sensitivity of data
D. Recovery of data
Correct Answer: C
Data and asset classification should be based on the sensitivity of data, which is the degree to which the data requires protection from unauthorized access, modification, or disclosure. Data sensitivity is determined by the potential impact of data loss, theft, or corruption on the organization, its customers, and its partners. Data sensitivity can also be influenced by legal, regulatory, and contractual obligations.
References:
Certificate of Competence in Zero Trust (CCZT) prepkit, page 10, section 2.1.1
Identify and protect sensitive business data with Zero Trust, section 1
Secure data with Zero Trust, section 1
SP 800-207, Zero Trust Architecture, page 9, section 3.2.1
Question 7:
How can ZTA planning improve the developer experience?
A. Streamlining access provisioning to deployment environments.
B. Require deployments to be grouped into quarterly batches.
C. Use of a third-party tool for continuous integration/continuous deployment (CI/CD) and deployments.
D. Disallowing DevOps teams access to the pipeline or deployments.
Correct Answer: A
ZTA planning can improve the developer experience by streamlining access provisioning to deployment environments. This means that developers can access the resources and services they need to deploy their applications in a fast and secure manner, without having to go through complex and manual processes. ZTA planning can also help to automate and orchestrate the access provisioning using dynamic and granular policies based on the context and attributes of the developers, devices, and applications.
References:
Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 10: ZTA Planning and Implementation
Question 8:
Which architectural consideration needs to be taken into account while deploying SDP? Select the best answer.
A. How SDP deployment fits into existing network topologies and technologies.
B. How SDP deployment fits into external vendor assessment.
C. How SDP deployment fits into existing human resource management systems.
D. How SDP deployment fits into application validation.
Correct Answer: A
A key architectural consideration that needs to be taken into account while deploying SDP is how SDP deployment fits into existing network topologies and technologies. This is because SDP deployment may require changes or adaptations to the existing network infrastructure, such as routers, switches, firewalls, VPNs, etc. SDP deployment may also affect the network performance, availability, scalability, and resilience. Therefore, it is important to assess the impact and compatibility of SDP deployment with the existing network topologies and technologies, and to plan and design the SDP deployment accordingly.
References:
Certificate of Competence in Zero Trust (CCZT) - Cloud Security Alliance, Zero Trust Training (ZTT) - Module 7: Network Infrastructure and SDP
Question 9:
What is a server exploitation threat that SDP features (server isolation, single packet authorization [SPA], and dynamic drop-all firewalls) protect against?
A. Certificate forgery attacks
B. Denial of service (DoS)/distributed denial of service (DDoS) attacks
C. Phishing attacks
D. Domain name system (DNS) poisoning attacks
Correct Answer: A
SDP features protect against certificate forgery attacks by using identity verification mechanisms that prevent attackers from impersonating servers or users.
References:
Zero Trust Training (ZTT) - Module 8: Testing and Validation
Question 10:
ZTA utilizes which of the following to improve the network's security posture?
A. Micro-segmentation and encryption
B. Compliance analytics and network communication
C. Network communication and micro-segmentation
D. Encryption and compliance analytics
Correct Answer: A
Explanation: ZTA uses micro-segmentation to divide the network into smaller, isolated segments that can prevent unauthorized access and contain lateral movement. ZTA also uses encryption to protect data in transit and at rest from eavesdropping and tampering.